
NetFlow Reliable Export With SCTP

NetFlow is a Cisco IOS application that provides statistics on packets flowing through the router. It is emerging as a primary network accounting and security technology. This document describes the NetFlow application and the new NetFlow Reliable Export With Stream Control Transmission Protocol (SCTP) feature.

The NetFlow Reliable Export with SCTP feature adds the ability for NetFlow to use the reliable and congestion-aware SCTP when exporting statistics to a network management system that supports the NetFlow data export formats, such as a system running CNS NetFlow Collection Engine (NFC).

• Finding Feature Information, page 1

• Prerequisites for NetFlow Reliable Export With SCTP, page 2

• Restrictions for NetFlow Reliable Export With SCTP, page 2

• Information About NetFlow Reliable Export With SCTP, page 2

• How to Configure NetFlow Reliable Export with SCTP, page 9

• Configuration Examples for NetFlow Reliable Export With SCTP, page 27

• Additional References, page 29

• Feature Information for NetFlow Reliable Transport Using SCTP, page 31

• Glossary, page 32

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

NetFlow Configuration Guide, Cisco IOS Release 15S 1

Prerequisites for NetFlow Reliable Export With SCTP

NetFlow and Cisco Express Forwarding (CEF), distributed CEF (dCEF), or fast switching must be configured on your system.

Restrictions for NetFlow Reliable Export With SCTP

The NetFlow SCTP collector must support SCTP.

Information About NetFlow Reliable Export With SCTP

NetFlow Data Capture

NetFlow identifies packet flows for both ingress and egress IP packets. It does not involve any connection-setup protocol. NetFlow is completely transparent to the existing network, including end stations and application software and network devices like LAN switches. Also, NetFlow capture and export are performed independently on each internetworking device; NetFlow need not be operational on each router in the network.

NetFlow is supported on IP and IP encapsulated traffic over most interface types and Layer 2 encapsulations.

You can display and clear NetFlow statistics. NetFlow statistics consist of IP packet size distribution, IP flow switching cache information, and flow information.

NetFlow Benefits

NetFlow can capture a rich set of traffic statistics. These traffic statistics include user, protocol, port, and type of service (ToS) information that can be used for a wide variety of purposes, including network traffic analysis and capacity planning, security, enterprise accounting and departmental chargebacks, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.

Network Application and User Monitoring

NetFlow data enables you to view detailed, time and application based usage of a network. This information allows you to plan and allocate network and application resources, and provides for extensive near real-time network monitoring capabilities. It can be used to display traffic patterns and application-based views. NetFlow provides proactive problem detection and efficient troubleshooting, and it facilitates rapid problem resolution. You can use NetFlow information to efficiently allocate network resources and to detect and resolve potential security and policy violations.

Network Analysis and Planning

You can use NetFlow to capture data for extended periods of time, which enables you to track network utilization and anticipate network growth and plan upgrades. NetFlow service data can be used to optimize network planning, which includes peering, backbone upgrades, and routing policy planning. It also enables you to minimize the total cost of network operations while maximizing network performance, capacity, and reliability. NetFlow detects unwanted WAN traffic, validates bandwidth and quality of service (QoS) behavior, and enables the analysis of new network applications. NetFlow offers valuable information that you can use to reduce the cost of operating the network.

Denial of Service and Security Analysis

You can use NetFlow data to identify and classify in real time denial of service (DoS) attacks, viruses, and worms. Changes in network behavior indicate anomalies that are clearly reflected in NetFlow data. The data is also a valuable forensic tool that you can use to understand and replay the history of security incidents.

Accounting and Billing

NetFlow data provides fine-grained metering for highly flexible and detailed resource utilization accounting. For example, flow data includes details such as IP addresses, packet and byte counts, timestamps, and information about type of service (ToS) and application ports. Service providers might utilize the information for billing based on time-of-day, bandwidth usage, application usage, or QoS. Enterprise customers might utilize the information for departmental charge-back or cost allocation for resource utilization.

Traffic Engineering

NetFlow provides autonomous system (AS) traffic engineering details. You can use NetFlow-captured traffic data to understand source-to-destination traffic trends. This data can be used for load-balancing traffic across alternate paths or for forwarding traffic along a preferred route. NetFlow can measure the amount of traffic crossing peering or transit points. You can use the data to help you decide if a peering arrangement with other service providers is fair and equitable.

NetFlow Data Storage and Data Mining

NetFlow data can be stored for later retrieval and analysis in support of marketing and customer service programs. For example, the data can be mined to find out which applications and services are being used by internal and external users and target the users for improved service and advertising. In addition, NetFlow data gives market researchers access to the who, what, where, and how long information relevant to enterprises and service providers.

NetFlow Cisco IOS Packaging Information

Cisco 7200/7500/7400/MGX/AS5850

Although NetFlow functionality is included in all software images for these platforms, you must purchase a separate NetFlow feature license. NetFlow licenses are sold on a per-node basis.

Other Routers

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.


Elements of a NetFlow Network Flow

A NetFlow network flow is defined as a unidirectional stream of packets between a given source and destination. The source and destination are each defined by a network-layer IP address and transport-layer source and destination port numbers. Specifically, a flow is defined by the combination of the following seven key fields:

• Source IP address

• Destination IP address

• Source port number

• Destination port number

• Layer 3 protocol type

• Type of service

• Input logical interface

These seven key fields define a unique flow. If a packet has one key field different from another packet, it is considered to belong to another flow. A flow might also contain other accounting fields (such as the AS number in the NetFlow export Version 5 flow format). The fields that a given flow contains depend on the export record version that you configure. Flows are stored in the NetFlow cache.
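The following Python model is an added example for this page and is not Cisco IOS code. It shows how the seven key fields decide whether two packets land in the same flow record: the client-to-server and server-to-client halves of one TCP session become two flows, and a change in nothing but the ToS byte starts a third. The Packet and FlowCache names and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One IP packet as the router sees it (field names are this example's own)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int        # Layer 3 protocol type: 6 = TCP, 17 = UDP
    tos: int          # IP type of service byte
    in_ifindex: int   # input logical interface (SNMP ifIndex)
    length: int       # IP packet length in bytes


# The seven key fields, in the order the guide lists them.
FlowKey = Tuple[str, str, int, int, int, int, int]


def flow_key(pkt: Packet) -> FlowKey:
    """Two packets belong to the same flow only if all seven fields match."""
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port,
            pkt.proto, pkt.tos, pkt.in_ifindex)


@dataclass
class FlowRecord:
    """Non-key (accounting) fields kept per flow in the cache."""
    packets: int = 0
    octets: int = 0
    first_ms: int = 0   # router uptime when the flow was created
    last_ms: int = 0    # router uptime of the most recent packet


class FlowCache:
    """Model of the NetFlow main cache: one FlowRecord per active flow key."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowRecord] = {}

    def add(self, pkt: Packet, uptime_ms: int) -> FlowKey:
        key = flow_key(pkt)
        rec = self.flows.get(key)
        if rec is None:
            rec = FlowRecord(first_ms=uptime_ms)
            self.flows[key] = rec
        rec.packets += 1
        rec.octets += pkt.length
        rec.last_ms = uptime_ms
        return key


def build_sample_cache() -> FlowCache:
    """Feed constructed packets through the cache (sample data, not captured traffic)."""
    client, server = "10.1.1.10", "192.0.2.80"
    pkts: List[Tuple[Packet, int]] = [
        # Client -> server TLS: two packets with identical key fields -> one flow.
        (Packet(client, server, 51514, 443, 6, 0x00, 1, 60), 1000),
        (Packet(client, server, 51514, 443, 6, 0x00, 1, 1500), 1010),
        # Server -> client reply: flows are unidirectional, so this is a second flow.
        (Packet(server, client, 443, 51514, 6, 0x00, 2, 1500), 1012),
        # Same 5-tuple as the first flow but ToS marked EF (0xb8): a third flow.
        (Packet(client, server, 51514, 443, 6, 0xb8, 1, 60), 1020),
        # A DNS query: different protocol and ports, a fourth flow.
        (Packet(client, "192.0.2.53", 40000, 53, 17, 0x00, 1, 80), 1030),
    ]
    cache = FlowCache()
    for pkt, uptime in pkts:
        cache.add(pkt, uptime)
    return cache


if __name__ == "__main__":
    for key, rec in build_sample_cache().flows.items():
        print(key, rec)
```

Because the key includes the input interface, the same conversation observed on two ingress interfaces (for example after a routing change) also produces two flow records; a collector that wants bidirectional sessions has to pair the two unidirectional flows itself.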

NetFlow Main Cache Operation

The key components of NetFlow are the NetFlow cache that stores IP flow information and the NetFlow export or transport mechanism that sends NetFlow data to a network management collector, such as the NetFlow Collection Engine. NetFlow operates by creating a NetFlow cache entry (a flow record) for each active flow and maintaining that record in the cache for as long as the flow is active. Each flow record in the NetFlow cache contains values for the fields that are being monitored that can later be exported to a collection device, such as the NetFlow Collection Engine.

NetFlow Data Capture

NetFlow captures data from ingress (incoming) and egress (outgoing) packets. NetFlow gathers data for the following ingress IP packets:

• IP-to-IP packets

• IP-to-Multiprotocol Label Switching (MPLS) packets

NetFlow captures data for all egress (outgoing) packets through use of the following features:

• Egress NetFlow Accounting--NetFlow gathers data for all egress packets for IP traffic only.

• NetFlow MPLS Egress--NetFlow gathers data for all egress MPLS-to-IP packets.


NetFlow Export Formats

NetFlow exports data in User Datagram Protocol (UDP) datagrams in one of five formats: Version 9, Version 8, Version 7, Version 5, or Version 1. Version 9 export format, the latest version, is the most flexible and extensible format. Version 1 was the initial NetFlow export format; Version 8 only supports export from aggregation caches, and Version 7 is supported only on certain platforms. (Versions 2 through 4 and Version 6 were either not released or are not supported.)

• Version 9--A flexible and extensible format, which provides the versatility needed for support of new fields and record types. This format accommodates new NetFlow-supported technologies such as MPLS, and Border Gateway Protocol (BGP) next hop. The distinguishing feature of the NetFlow Version 9 format is that it is template based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format. IP Flow Information Export (IPFIX) was based on the Version 9 export format.

• Version 8--A format added to support data export from aggregation caches. Version 8 allows export datagrams to contain a subset of the usual Version 5 export data, if that data is valid for a particular aggregation cache scheme.

• Version 7--A version supported on a Catalyst 6000 series switch with a multilayer switch feature card (MSFC) running CatOS Release 5.5(7) and later. On a Catalyst 6000 series switch with an MSFC, you can export using either the Version 7 or the Version 8 format.

• Version 5--A version that adds BGP AS information and flow sequence numbers.

• Version 1--The initially released export format, rarely used today. Do not use the Version 1 export format unless the legacy collection system you are using requires it. Use either the Version 9 export format or the Version 5 export format for data export from the main cache.

NetFlow Reliable Export With SCTP

Prior to the introduction of the NetFlow Reliable Export With SCTP feature in Cisco IOS Release 12.4(4)T, exporting NetFlow information was unreliable because NetFlow encapsulated the exported traffic in UDP packets for transmission to the NFC. Using an unreliable transport protocol such as UDP for sending information across a network has two major disadvantages:

• Lack of congestion awareness--The exporter sends packets as fast as it can generate them, without any regard to the bandwidth available on the network. If the link is fully congested when the NetFlow router attempts to send, the packet might simply be dropped, either before it is put on the exporter's output queue or before it gets to the next hop's input queue.

• Lack of reliability--With export over UDP, the collector has no method of signaling to the exporter that it didn't receive an exported packet. Most versions of the NetFlow export packet contain a sequence number, so the collector often knows when it has lost a packet. But given that the exporter discards the export packet as soon as it has been sent and that the NetFlow router lacks a mechanism to request a retransmission of the packet, exporting over UDP can be considered to be unreliable.
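To show what that sequence number buys the collector, here is an added Python example (not from this guide and not Cisco code) that parses the 24-byte NetFlow Version 5 export header and tracks the flow_sequence field to measure how many flow records never arrived. In Version 5 the sequence counts flows rather than datagrams, so the next expected value is the previous sequence plus the previous record count. The datagrams are constructed inside the block with zero-filled records, since only the header matters here; the tracker also copes with a late (reordered) datagram and with the 32-bit counter wrapping.

```python
import struct
from typing import Dict, List, Optional

# NetFlow Version 5 export header, 24 bytes, network byte order:
# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling (2-bit mode + 14-bit interval).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48      # every v5 flow record is 48 bytes
V5_MAX_RECORDS = 30     # a v5 datagram carries at most 30 records


def parse_v5_header(datagram: bytes) -> Dict[str, int]:
    """Decode and sanity-check a v5 header; raises ValueError on anything malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("count field disagrees with datagram length")
    return {"count": count, "sys_uptime": sys_uptime, "unix_secs": unix_secs,
            "unix_nsecs": unix_nsecs, "flow_sequence": flow_sequence,
            "engine_type": engine_type, "engine_id": engine_id,
            "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}


def is_valid_v5(datagram: bytes) -> bool:
    try:
        parse_v5_header(datagram)
        return True
    except ValueError:
        return False


class SequenceTracker:
    """Export-loss detection for one exporter (source address plus engine id).

    In v5 flow_sequence is the running count of exported flows, so the next
    datagram should carry flow_sequence == previous flow_sequence + previous count.
    A positive gap is the number of flow records the collector will never see.
    """

    MOD = 1 << 32   # flow_sequence is an unsigned 32-bit counter that wraps

    def __init__(self) -> None:
        self.expected: Optional[int] = None
        self.lost_flows = 0
        self.reordered = 0

    def observe(self, hdr: Dict[str, int]) -> int:
        seq, count = hdr["flow_sequence"], hdr["count"]
        if self.expected is None:                  # first datagram: nothing to compare with
            self.expected = (seq + count) % self.MOD
            return 0
        gap = (seq - self.expected) % self.MOD
        if gap >= self.MOD // 2:                   # negative in 32-bit terms: a late datagram
            self.reordered += 1
            self.lost_flows -= min(count, self.lost_flows)   # it was counted lost earlier
            return gap - self.MOD
        self.lost_flows += gap
        self.expected = (seq + count) % self.MOD
        return gap


def build_v5_datagram(flow_sequence: int, count: int, sys_uptime: int = 0,
                      unix_secs: int = 1_700_000_000) -> bytes:
    """Constructed v5 datagram with zero-filled records (sample data, not a capture)."""
    header = V5_HEADER.pack(5, count, sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    return header + bytes(count * V5_RECORD_LEN)


def measure_loss(datagrams: List[bytes]) -> Dict[str, int]:
    """Feed datagrams through the tracker in arrival order and summarise what went missing."""
    tracker = SequenceTracker()
    gaps = [tracker.observe(parse_v5_header(d)) for d in datagrams]
    return {"lost_flows": tracker.lost_flows, "reordered": tracker.reordered,
            "max_gap": max(gaps)}


# Constructed arrival order: the exporter sent sequences 0, 30, 60, 70 but the
# datagram starting at 30 was dropped in transit and UDP cannot resend it.
SAMPLE_ARRIVALS = [build_v5_datagram(0, 30), build_v5_datagram(60, 10), build_v5_datagram(70, 5)]

# Same exporter, but the "lost" datagram merely arrived late.
SAMPLE_REORDERED = [build_v5_datagram(0, 30), build_v5_datagram(60, 10), build_v5_datagram(30, 30)]

if __name__ == "__main__":
    print(measure_loss(SAMPLE_ARRIVALS))     # lost_flows 30, reordered 0, max_gap 30
    print(measure_loss(SAMPLE_REORDERED))    # lost_flows 0, reordered 1, max_gap 30
```

A gap counter like this is the only visibility a UDP collector has into export loss, and it shows only that records are missing, never which ones; that is exactly the gap the SCTP transport described next closes. Track sequences per (source address, engine_id) pair, because each exporting engine on a router keeps its own counter.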

The NetFlow Reliable Export With SCTP feature uses the SCTP to overcome the two major disadvantagesof using UDP as the transport layer protocol:


• SCTP has a congestion control mechanism to ensure that the router does not send data to the collector faster than it can receive it.

• SCTP transmits messages in a reliable manner. SCTP messages are buffered on the router until they have been acknowledged by the collector. Messages that are not acknowledged by the collector are retransmitted by the router.

SCTP is a reliable message-oriented transport layer protocol, which allows data to be transmitted between two end-points in a reliable, partially reliable, or unreliable manner. An SCTP session consists of an association between two end-points, which may contain one or more logical channels called streams. SCTP's stream based transmission model facilitates the export of a mix of different data types, such as NetFlow templates and NetFlow data, over the same connection. The maximum number of inbound and outbound streams supported by an end-point is negotiated during the SCTP association initialization process.

When you configure the NetFlow Version 9 Export and NetFlow Reliable Export features, NetFlow creates a minimum of two streams--stream 0 for templates and options, and one or more streams for carrying data, as required. The following commands are not applicable when you configure the NetFlow Version 9 Export and NetFlow Reliable Export features together, because NetFlow Reliable Export connections use SCTP reliable stream 0 for NetFlow Version 9 Export templates, and these commands apply only to NetFlow export connections that use UDP:

• ip flow-export template refresh-rate

• ip flow-export template timeout-rate

• ip flow-export template options refresh-rate

• ip flow-export template options timeout-rate

When more than one cache (the main cache and one or more aggregation caches) is exporting data, each cache creates its own streams with their own configured reliability levels. For example, you can configure the main cache to use SCTP in full reliability mode and the NetFlow prefix aggregation cache to use partial reliability mode to send messages to the same collector using the same SCTP port.

Note

When you are using SCTP as the transport protocol for exporting NetFlow traffic, the traffic is usually referred to as messages instead of datagrams because SCTP is a message-oriented protocol. When you are using UDP as the transport protocol for exporting NetFlow traffic, the traffic is usually referred to as datagrams because UDP is a datagram-oriented protocol.

Security

SCTP contains several built-in features to counter many common security threats, such as the SYN-flood type of DoS attack.

SCTP uses the following techniques to resist flooding attacks:

• A four-way start-up handshake is used to ensure that anyone opening an association is a genuine caller, rather than someone performing a SYN-flood type of DoS attack.

• Cookies are used to defer commitment of resources at the responding SCTP node until the handshake is completed.

• Verification Tags are used to prevent insertion of extraneous packets into the flow of an established association.
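The three mechanisms above fit together as follows. This is an added, deliberately simplified Python model of the handshake and tag check, written for this page; it is not an SCTP implementation and not Cisco code, and the Collector, Exporter and demo names, the HMAC-SHA256 cookie construction and the sample addresses are this example's own choices. It shows both sides' messages (INIT, INIT-ACK with cookie, COOKIE-ECHO, COOKIE-ACK, DATA), that a flood of spoofed INITs leaves the responder holding no state, that a tampered cookie is discarded, and that a packet with the wrong verification tag is dropped even when the source address is spoofed.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

MAC_LEN = 32  # HMAC-SHA256 tag appended to the state cookie


class Collector:
    """Responding SCTP end-point: stores nothing about a peer until a valid COOKIE-ECHO."""

    def __init__(self) -> None:
        self.cookie_secret = secrets.token_bytes(32)   # a real stack rotates this key
        # Established associations, keyed by (peer address, our verification tag).
        self.associations: Dict[Tuple[str, int], int] = {}
        self.delivered = 0

    def _mac(self, params: bytes) -> bytes:
        return hmac.new(self.cookie_secret, params, hashlib.sha256).digest()

    def on_init(self, peer: str, peer_tag: int) -> Dict[str, object]:
        """Handshake step 2: reply INIT-ACK with a state cookie and keep no state."""
        my_tag = secrets.randbits(32) or 1             # verification tags are non-zero
        params = struct.pack("!II", peer_tag, my_tag) + peer.encode()
        return {"type": "INIT-ACK", "init_tag": my_tag, "cookie": params + self._mac(params)}

    def on_cookie_echo(self, peer: str, cookie: bytes) -> Optional[Dict[str, object]]:
        """Handshake step 4: a cookie we minted, echoed by the same peer, creates the association."""
        if len(cookie) <= 8 + MAC_LEN:
            return None
        params, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        if not hmac.compare_digest(self._mac(params), mac):
            return None                                 # forged or altered: silently dropped
        peer_tag, my_tag = struct.unpack("!II", params[:8])
        if params[8:] != peer.encode():
            return None                                 # cookie replayed from another address
        self.associations[(peer, my_tag)] = peer_tag
        return {"type": "COOKIE-ACK", "vtag": peer_tag}   # carries the peer's tag

    def on_data(self, peer: str, vtag: int, payload: bytes) -> bool:
        """DATA whose verification tag matches no association is discarded."""
        if (peer, vtag) not in self.associations:
            return False
        self.delivered += 1
        return True


class Exporter:
    """Initiating SCTP end-point (the NetFlow router in the guide's scenario)."""

    def __init__(self, addr: str) -> None:
        self.addr = addr
        self.my_tag = secrets.randbits(32) or 1
        self.peer_tag: Optional[int] = None             # tag we stamp on packets to the peer

    def associate(self, collector: Collector) -> bool:
        init_ack = collector.on_init(self.addr, self.my_tag)           # INIT -> INIT-ACK
        ack = collector.on_cookie_echo(self.addr, init_ack["cookie"])  # COOKIE-ECHO -> COOKIE-ACK
        if ack is None or ack["vtag"] != self.my_tag:
            return False                                # ACK did not carry our tag: ignore it
        self.peer_tag = init_ack["init_tag"]
        return True

    def send(self, collector: Collector, payload: bytes) -> bool:
        return collector.on_data(self.addr, self.peer_tag, payload)


def init_flood(collector: Collector, count: int) -> int:
    """Spoofed INITs that never finish the handshake; returns how many state entries they cost."""
    for i in range(count):
        collector.on_init(f"203.0.113.{i % 256}", 0xDEAD0000 + i)
    return len(collector.associations)


def forged_cookie_rejected(collector: Collector, exporter: Exporter) -> bool:
    """Flip one byte inside a genuine cookie (our tag) and confirm the MAC check drops it."""
    cookie = bytearray(collector.on_init(exporter.addr, exporter.my_tag)["cookie"])
    cookie[4] ^= 0x01
    return collector.on_cookie_echo(exporter.addr, bytes(cookie)) is None


def demo() -> Dict[str, object]:
    """Run the flood, a real handshake, a mis-tagged injection and a forged cookie."""
    collector, exporter = Collector(), Exporter("10.0.0.1")
    out: Dict[str, object] = {"flood_state_entries": init_flood(collector, 1000)}
    out["associated"] = exporter.associate(collector)
    out["data_accepted"] = exporter.send(collector, b"netflow v9 template set")
    wrong_tag = (exporter.peer_tag ^ 0x1) & 0xFFFFFFFF  # attacker spoofs address, guesses tag
    out["injection_accepted"] = collector.on_data("10.0.0.1", wrong_tag, b"bogus flow")
    out["forged_cookie_rejected"] = forged_cookie_rejected(collector, exporter)
    out["delivered"] = collector.delivered
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the cookie is that the responder's only secret is the key it uses to authenticate cookies; everything else it needs to build the association travels inside the cookie and comes back only from a peer that could receive the INIT-ACK. Verification tags are a 32-bit hurdle against blind injection, not authentication: an attacker who can observe the association reads the tag off the wire, which is why the export path should still be confined to a management network or protected by IPsec.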


Reliability Options

SCTP allows data to be transmitted between two end-points (a router running NetFlow SCTP export and a collector that is receiving and acknowledging the SCTP messages) in a reliable manner. In addition to the default behavior of full reliability, SCTP can be configured for partially-reliable or unreliable transmission for applications that do not require full reliability.

When SCTP is operating in full reliability mode, it uses a selective-acknowledgment scheme to guarantee the ordered delivery of messages. The SCTP protocol stack buffers messages until their receipt has been acknowledged by the receiving end-point (the collector). SCTP has a congestion control mechanism that can be used to limit how much memory is consumed by SCTP for buffering packets.

If a stream is specified as unreliable, then the packet is simply sent once and not buffered on the exporter. If the packet is lost en route to the receiver, the exporter cannot retransmit it.

When a stream is specified as partially-reliable, a limit is placed on how much memory is dedicated to storing unacknowledged packets. This limit is configured with the buffer-limit limit command. If the limit is exceeded and the router attempts to buffer another packet, the oldest unacknowledged packet is discarded. When SCTP discards the oldest unacknowledged packet, a message called a forward-TSN (transmission sequence number) is sent to the collector to indicate that this packet will not be received. This prevents NetFlow from consuming all the free memory on a router when a situation has arisen that requires many packets to be buffered, for example when SCTP is experiencing long response times from an SCTP peer.

When SCTP is operating in partially reliable mode, the limit on how much memory should be dedicated to storing unacknowledged packets should initially be set as high as possible. The limit can be reduced if other processes on the router begin to run out of memory. Deciding on the best value for the limit involves a trade-off between avoiding starving other processes of the memory that they require to operate and dropping SCTP messages that have not been acknowledged by the collector.

Unreliable SCTP can be used when the collector that you are using doesn't support UDP as a transport protocol for receiving NetFlow export datagrams and you do not want to allocate the resources on your router required to provide reliable, or partially reliable, SCTP connections.
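The three reliability levels described in the preceding paragraphs behave as follows when the collector stops acknowledging. This is an added Python model written for this page, not IOS code and not a real SCTP stack; the ExportStream class, the scenario helpers and the message contents are the example's own constructions. It shows that full reliability holds every unacknowledged message (memory grows without bound while the peer is silent), partial reliability caps the buffer at buffer-limit messages by discarding the oldest and recording a FORWARD-TSN for it, and no reliability keeps nothing that could be retransmitted.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple


class ExportStream:
    """One outbound SCTP stream under the three reliability settings described above.

    Every message gets the next TSN. 'full' keeps each message buffered until a
    SACK covers it; 'partial' keeps at most buffer_limit messages and, when one
    more must be buffered, drops the oldest and tells the peer via FORWARD-TSN
    to stop waiting for it; 'none' buffers nothing, so nothing can be resent.
    """

    def __init__(self, reliability: str = "full", buffer_limit: Optional[int] = None) -> None:
        if reliability not in ("full", "partial", "none"):
            raise ValueError("reliability must be full, partial or none")
        if reliability == "partial" and (buffer_limit is None or buffer_limit < 1):
            raise ValueError("partial reliability requires a positive buffer-limit")
        self.reliability = reliability
        self.buffer_limit = buffer_limit
        self.next_tsn = 1
        self.unacked: Deque[Tuple[int, bytes]] = deque()   # awaiting SACK
        self.discarded = 0                      # dropped to respect buffer_limit
        self.forward_tsn_sent: List[int] = []   # TSNs the peer was told to skip

    def send(self, msg: bytes) -> int:
        """Transmit msg once and return its TSN; buffering depends on the reliability level."""
        tsn, self.next_tsn = self.next_tsn, self.next_tsn + 1
        if self.reliability == "none":
            return tsn                                    # fire and forget
        if self.reliability == "partial" and len(self.unacked) >= self.buffer_limit:
            oldest_tsn, _ = self.unacked.popleft()        # limit hit: sacrifice the oldest
            self.discarded += 1
            self.forward_tsn_sent.append(oldest_tsn)      # FORWARD-TSN chunk to the collector
        self.unacked.append((tsn, msg))
        return tsn

    def sack(self, cumulative_tsn: int) -> None:
        """Peer acknowledged everything up to and including cumulative_tsn."""
        while self.unacked and self.unacked[0][0] <= cumulative_tsn:
            self.unacked.popleft()

    def buffered_tsns(self) -> List[int]:
        return [tsn for tsn, _ in self.unacked]

    def retransmit_queue(self) -> List[bytes]:
        """Messages the exporter can still resend after a retransmission timeout."""
        return [msg for _, msg in self.unacked]


def stalled_collector(reliability: str, buffer_limit: Optional[int] = None,
                      messages: int = 5) -> ExportStream:
    """Constructed scenario: the collector stops acknowledging while export continues."""
    stream = ExportStream(reliability, buffer_limit)
    for i in range(messages):
        stream.send(f"flow-record-{i}".encode())
    return stream


def buffered_after_sack(reliability: str, buffer_limit: Optional[int],
                        messages: int, cumulative_tsn: int) -> List[int]:
    """Same scenario, then a SACK arrives; returns what is still held for retransmission."""
    stream = stalled_collector(reliability, buffer_limit, messages)
    stream.sack(cumulative_tsn)
    return stream.buffered_tsns()


if __name__ == "__main__":
    for level, limit in (("full", None), ("partial", 3), ("none", None)):
        s = stalled_collector(level, limit)
        print(level, "buffered:", s.buffered_tsns(), "discarded:", s.discarded,
              "forward-tsn:", s.forward_tsn_sent)
```

The trade-off the guide describes is visible in the numbers: with a limit of 3 and a silent collector the exporter never holds more than three messages, but the two it discarded are gone for good and the collector only learns that they were skipped. In the real feature, IOS reports the corresponding drops in the "packets dropped due to lack of SCTP resources" line of show ip flow export sctp verbose.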

Congestion Avoidance

SCTP uses congestion avoidance algorithms that are similar to those for TCP. An SCTP end-point advertises the size of its receive window (rWnd) to ensure that a sender cannot flood it with more messages than it can store in its input queues.

Each SCTP sender also maintains a congestion window (cWnd), which determines the number of unacknowledged packets that can be outstanding at a given time. SCTP uses the same 'slow-start' algorithm as TCP, in which it starts with a small cWnd and gradually increases it until it reaches its optimum size.

Whenever a packet isn't acknowledged within the given timeout period, the value of cWnd is halved. This method of congestion avoidance is known as additive increase / multiplicative decrease and has been shown to be the most effective congestion avoidance algorithm in most circumstances.

SCTP also employs the fast-retransmit algorithm whereby it retransmits a message if it receives acknowledgments for four messages which were sent after the message in question. This is preferable to waiting for the timeout period to elapse and triggering a retransmit of the message.

Options for Backup Collectors

You can configure a backup collector for SCTP. It is used as a message destination in the event that the primary collector becomes unavailable. When connectivity with the primary collector has been lost, and a backup collector is configured, SCTP begins using the backup collector. The default period of time that SCTP waits until it starts using the backup collector is 25 milliseconds (msec). You can configure a different value for the interval with the fail-over time command.

The router sends periodic SCTP heartbeat messages to the SCTP collectors that you have configured. The router uses the SCTP heartbeat message acknowledgements from the collectors to monitor the status of each collector. This allows an application, such as NetFlow, to be quickly informed when connectivity to a collector is lost.

You can configure SCTP backup in fail-over or redundant mode. When the router is configured with SCTP backup in fail-over mode, the router waits to activate the association with the backup collector until the router has not received acknowledgements for the SCTP heartbeat messages from the primary collector for the time specified by the fail-over time command (or the default of 25 msec if this parameter has not been modified).

Note

SCTP retransmits a message that has not been acknowledged up to three times. The router initiates fail-over after three retransmissions of the same message are not acknowledged by the primary collector.

When the router is configured with SCTP backup in redundant mode, the router activates the association with the backup collector immediately, and if NetFlow v9 export is configured the router sends the (options) templates in advance. The router will not start sending other SCTP messages to a backup collector in redundant mode until the router has not received acknowledgments for the SCTP heartbeat messages from the primary collector for the time specified by the fail-over time command. Fail-over mode is the preferred method when the backup collector is on the end of an expensive lower-bandwidth link such as ISDN.

During the time that SCTP is using the backup collector, SCTP continues to try to restore the association with the primary collector. This goes on until connectivity is restored or the primary SCTP collector is removed from the configuration.

When connectivity to the primary collector is available again, the router waits for a period of time before reverting to using it as the primary destination. You configure the value of the period of time that SCTP waits until reverting to the primary collector with the restore-time time command. The default period of time that SCTP waits until it reverts to the primary collector is 25 sec.

Under either fail-over mode any records which have been queued between losing connectivity with the primary destination and establishing the association with the backup collector might be lost. A count is maintained of how many records were lost. It can be viewed with the show ip flow export sctp verbose command.

To avoid a flapping SCTP association with a collector (the SCTP association goes up and down in quick succession), the time period configured with the restore-time time command should be greater than the period of a typical connectivity problem. For example, suppose your router is configured to use IP fast convergence for its routing table and you have a LAN interface that is going up and down repeatedly (flapping). That causes the IP route to the primary collector to be added to and removed from the routing table repeatedly (route flapping) every 2000 msec (2 sec). In that case you need to configure the restore time for a value greater than 2000 msec.

The backup connection uses stream 0 for sending templates, options templates, and option data records. The data stream(s) inherit the reliability settings of the primary connection.

Export to Multiple Collectors

You can configure your networking device to export NetFlow data to a maximum of two export destinations (collectors) per cache (main and aggregation caches), using any combination of UDP and SCTP. A destination is identified by a unique combination of hostname or IP address and port number or port type. The table below shows examples of permitted multiple NetFlow export destinations for each cache.


Table 1: Examples of Permitted Multiple NetFlow Export Destinations for Each Cache

First Export Destination               Second Export Destination
ip flow-export 10.25.89.32 100 udp     ip flow-export 10.25.89.32 285 udp
ip flow-export 10.25.89.32 100 udp     ip flow-export 172.16.89.32 100 udp
ip flow-export 10.25.89.32 100 udp     ip flow-export 172.16.89.32 285 udp
ip flow-export 10.25.89.32 100 udp     ip flow-export 10.25.89.32 100 sctp
ip flow-export 10.25.89.32 100 sctp    ip flow-export 10.25.89.32 285 sctp
ip flow-export 10.25.89.32 100 sctp    ip flow-export 172.16.89.32 100 sctp
ip flow-export 10.25.89.32 100 sctp    ip flow-export 172.16.89.32 285 sctp

The most common use of the multiple-destination feature is to send the NetFlow cache entries to two different destinations for redundancy. Therefore, in most cases the second destination IP address is not the same as the first IP address. The port numbers can be the same when you are configuring two unique destination IP addresses. If you want to configure both instances of the command to use the same destination IP address, you must use unique port numbers. You receive a warning message when you configure the two instances of the command with the same IP address. The warning message is, "%Warning: Second destination address is the same as previous address <ip-address>".

SCTP Support For Export Formats

SCTP based reliable transport is available for all NetFlow export formats: Versions 1, 5, 8 and 9.

How to Configure NetFlow Reliable Export with SCTP

You can configure two primary SCTP export destinations (collectors) and two backup SCTP export destinations for each NetFlow cache (main cache and aggregation caches). The backup SCTP export destinations inherit the reliability characteristics of the primary SCTP export destination. For example, if you configure partial reliability with a buffer limit of 2000 packets for the primary SCTP export destination, the backup SCTP destination also uses partial reliability and a buffer limit of 2000 packets.

You can use several permutations when you configure NetFlow Reliable Export With SCTP. The most basic configuration requires only one SCTP export destination. The other tasks below explain how to configure some of the more common permutations of NetFlow Reliable Export With SCTP.

Configuring NetFlow SCTP Export for One Export Destination

This is the most basic NetFlow SCTP export configuration. This NetFlow SCTP export configuration uses full reliability.


Before You Begin

You must have NetFlow enabled on at least one interface in your router before you can export NetFlow data.

You must have a NetFlow collector in your network that supports NetFlow SCTP export.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip flow-export destination [ip-address | hostname] port sctp
4. end
5. show ip flow export sctp verbose

DETAILED STEPS

Step 1 enable

Enters privileged EXEC mode.

Example:

Router> enable

Step 2 configure terminal

Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ip flow-export destination [ip-address | hostname] port sctp

Configures an export destination that uses SCTP; the example uses port 100.

Example:

Router(config)# ip flow-export destination 172.16.12.200 100 sctp

Step 4 end

Returns to privileged EXEC mode.

Example:

Router(config-flow-export-sctp)# end

Step 5 show ip flow export sctp verbose

Displays the status and statistics for NetFlow SCTP export. Reliability is set to the default of full.

Example:

Router# show ip flow export sctp verbose


IPv4 main cache exporting to 172.16.12.200, port 100, full
status: connected
backup mode: redundant
4 flows exported in 4 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds

Configuring NetFlow SCTP Export for One Export Destination with Partial Reliability

This NetFlow SCTP export configuration uses partial reliability.

Before You Begin

You must have NetFlow enabled on at least one interface in your router before you can export NetFlow data.

You must have a NetFlow collector in your network that supports NetFlow SCTP export.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip flow-export destination [ip-address | hostname] port sctp
4. reliability partial buffer-limit limit
5. end
6. show ip flow export sctp verbose

DETAILED STEPS

Step 1 enable

Enters privileged EXEC mode.

Example:

Router> enable

Step 2 configure terminal

Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ip flow-export destination [ip-address | hostname] port sctp

Configures an export destination that uses SCTP; the example uses port 100.


Example:

Router(config)# ip flow-export destination 172.16.12.200 100 sctp

Step 4 reliability partial buffer-limit limit

Configures partial reliability for this SCTP export destination and sets the packet buffer limit; the example uses 3000.

Example:

Router(config-flow-export-sctp)# reliability partial buffer-limit 3000

Step 5 end

Returns to privileged EXEC mode.

Example:

Router(config-flow-export-sctp)# end

Step 6 show ip flow export sctp verbose

Displays the status and statistics for NetFlow SCTP export. Reliability is now set to partial.

Example:

Router# show ip flow export sctp verbose

Pv4 main cache exporting to 172.16.12.200, port 100, partialstatus: connectedbackup mode: redundant11 flows exported in 11 sctp messages.0 packets dropped due to lack of SCTP resourcesfail-over time: 25 milli-secondsrestore time: 25 seconds

Configuring NetFlow SCTP Export for One Export Destination with No Reliability

Reliability is disabled in this NetFlow SCTP export configuration.

Before You Begin

You must have NetFlow enabled on at least one interface in your router before you can export NetFlow data.

You must have a NetFlow collector in your network that supports NetFlow SCTP export.


SUMMARY STEPS

1. enable
2. configure terminal
3. ip flow-export destination [ip-address | hostname] port sctp
4. reliability none
5. end
6. show ip flow export sctp verbose

DETAILED STEPS

Step 1 enable
Enters privileged EXEC mode.

Example:

Router> enable

Step 2 configure terminal
Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ip flow-export destination [ip-address | hostname] port sctp
Configures an export destination using SCTP on port 100.

Example:

Router(config)# ip flow-export destination 172.16.12.200 100 sctp

Step 4 reliability none
Disables reliability for this SCTP export destination. No packet buffer is kept for retransmission.

Example:

Router(config-flow-export-sctp)# reliability none

Step 5 end
Returns to privileged EXEC mode.

Example:

Router(config-flow-export-sctp)# end

Step 6 show ip flow export sctp verbose
Displays the status and statistics for NetFlow SCTP export. Reliability is now set to none.

Example:

Router# show ip flow export sctp verbose

IPv4 main cache exporting to 172.16.12.200, port 100, none
status: connected
backup mode: redundant
15 flows exported in 15 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds

Configuring NetFlow SCTP Export for One Export Destination and One Backup Export Destination

This NetFlow SCTP export configuration uses full reliability, a backup SCTP export destination, and redundant mode backup.

Before You Begin

You must have NetFlow enabled on at least one interface in your router before you can export NetFlow data.

You must have a NetFlow collector in your network that supports NetFlow SCTP export.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip flow-export destination [ip-address | hostname] port sctp
4. backup destination [ip-address | hostname] sctp-port
5. end
6. show ip flow export sctp verbose

DETAILED STEPS

Step 1 enable
Enters privileged EXEC mode.

Example:

Router> enable

Step 2 configure terminal
Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ip flow-export destination [ip-address | hostname] port sctp
Configures an export destination using SCTP on port 100.

Example:

Router(config)# ip flow-export destination 172.16.12.200 100 sctp

Step 4 backup destination [ip-address | hostname] sctp-port
Configures an SCTP backup destination using SCTP on port 200.

Example:

Router(config-flow-export-sctp)# backup destination 192.168.247.198 200

Step 5 end
Returns to privileged EXEC mode.

Example:

Router(config-flow-export-sctp)# end

Step 6 show ip flow export sctp verbose
Displays the status and statistics for NetFlow SCTP export. Backup mode is redundant. The association with the SCTP backup export destination is active (connected). The SCTP backup export destination is not being used because the primary export destination is still active (connected).

Example:

Router# show ip flow export sctp verbose

IPv4 main cache exporting to 172.16.12.200, port 100, full
status: connected
backup mode: redundant
35 flows exported in 35 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.247.198, port 200
status: connected
fail-overs: 0
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

Configuring NetFlow SCTP Export for One Export Destination and One Backup Export Destination With Fail-Over Mode Backup

Perform this task to configure NetFlow SCTP export for one export and one backup destination with fail-over mode backup.

Before You Begin

You must have NetFlow enabled on at least one interface in your router before you can export NetFlow data.

You must have a NetFlow collector in your network that supports NetFlow SCTP export.

This NetFlow SCTP export configuration uses full reliability, a backup SCTP export destination, and fail-over mode backup.

Note: The backup fail-over and restore times are modified here so that you can see an example of how to configure these commands. The values used in this example might not be suitable for your network. If you want to override the default values for the fail-over and restore times you need to analyze the performance of your network and the collector that you are using to determine values that are appropriate for your network.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip flow-export destination [ip-address | hostname] port sctp
4. backup destination [ip-address | hostname] sctp-port
5. backup mode fail-over
6. backup fail-over fail-over-time
7. backup restore-time restore-time
8. end
9. show ip flow export sctp verbose

DETAILED STEPS

Step 1 enable
Enters privileged EXEC mode.

Example:

Router> enable

Step 2 configure terminal
Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ip flow-export destination [ip-address | hostname] port sctp
Configures an export destination using SCTP on port 100.

Example:

Router(config)# ip flow-export destination 172.16.12.200 100 sctp

Step 4 backup destination [ip-address | hostname] sctp-port
Configures an SCTP backup destination using SCTP on port 200.

Example:

Router(config-flow-export-sctp)# backup destination 192.168.247.198 200

Step 5 backup mode fail-over
Configures the router to fail-over mode for the backup export destination.

Example:

Router(config-flow-export-sctp)# backup mode fail-over

Step 6 backup fail-over fail-over-time
The length of time that the router will wait until failing over to the backup SCTP export destination has been increased to 3500 milliseconds.

Example:

Router(config-flow-export-sctp)# backup fail-over 3500

Step 7 backup restore-time restore-time
The length of time that the router will wait until reverting to the primary SCTP export destination has been increased to 1500 seconds. (The fail-over time is given in milliseconds, the restore time in seconds, as the show output in Step 9 confirms.)

Example:

Router(config-flow-export-sctp)# backup restore-time 1500

Step 8 end
Returns to privileged EXEC mode.

Example:

Router(config-flow-export-sctp)# end

Step 9 show ip flow export sctp verbose
Displays the status and statistics for NetFlow SCTP export. Backup mode is fail-over. The association with the SCTP backup export destination is not active (not connected) because NetFlow SCTP export waits to activate the association with the backup destination until the primary export destination is no longer available.

Example:

Router# show ip flow export sctp verbose

IPv4 main cache exporting to 172.16.12.200, port 100, full
status: connected
backup mode: fail-over
114 flows exported in 93 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 3500 milli-seconds
restore time: 1500 seconds
backup: 192.168.247.198, port 200
status: not connected
fail-overs: 0
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

Configuring NetFlow SCTP Export for Two Export Destinations and Two Backup Export Destinations

This configuration is the most basic SCTP export configuration that uses multiple export destinations. Youcan configure a maximum of two export destinations for every NetFlow cache.

Each SCTP export destination has its own area in the configuration file for the options that you can configure for it, such as fail-over mode, fail-over timers and reliability. Therefore you must make certain that the last SCTP export destination that you entered in the router's configuration is the SCTP export destination that you want to modify.

For example, if you enter these commands in this order:

• ip flow-export destination 172.16.12.200 100 sctp

• ip flow-export destination 172.16.45.57 100 sctp

• backup destination 192.168.100.2 200

The backup destination 192.168.100.2 200 is assigned to the ip flow-export destination 172.16.45.57 100 sctp command.

To change the SCTP export destination that you are modifying, reenter the command line for the SCTP export destination that you want to modify.

Before You Begin

You must have NetFlow enabled on at least one interface in your router before you can export NetFlow data.

You must have a NetFlow collector in your network that supports NetFlow SCTP export.


SUMMARY STEPS

1. enable
2. configure terminal
3. ip flow-export destination [ip-address | hostname] port sctp
4. backup destination [ip-address | hostname] sctp-port
5. ip flow-export destination [ip-address | hostname] port sctp
6. backup destination [ip-address | hostname] sctp-port
7. end
8. show ip flow export sctp verbose

DETAILED STEPS

Step 1 enable
Enters privileged EXEC mode.

Example:

Router> enable

Step 2 configure terminal
Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ip flow-export destination [ip-address | hostname] port sctp
Configures an export destination using SCTP on port 100.

Example:

Router(config)# ip flow-export destination 172.16.12.200 100 sctp

Step 4 backup destination [ip-address | hostname] sctp-port
Configures an SCTP backup destination using SCTP on port 200.

Example:

Router(config-flow-export-sctp)# backup destination 192.168.247.198 200

Step 5 ip flow-export destination [ip-address | hostname] port sctp
Configures a second export destination using SCTP on port 100.

Example:

Router(config)# ip flow-export destination 172.16.45.57 100 sctp

Step 6 backup destination [ip-address | hostname] sctp-port
Configures a second SCTP backup destination using SCTP on port 200.

Example:

Router(config-flow-export-sctp)# backup destination 192.168.100.2 200

Step 7 end
Returns to privileged EXEC mode.

Example:

Router(config-flow-export-sctp)# end

Step 8 show ip flow export sctp verbose
Displays the status and statistics for the two primary and backup NetFlow SCTP export destinations. Reliability is set to the default of full.

Example:

Router# show ip flow export sctp verbose

IPv4 main cache exporting to 172.16.12.200, port 100, full
status: connected
backup mode: redundant
219 flows exported in 176 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 3500 milli-seconds
restore time: 10 seconds
backup: 192.168.247.198, port 200
status: connected
fail-overs: 0
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

IPv4 main cache exporting to 172.16.45.57, port 100, full
status: connected
backup mode: redundant
66 flows exported in 47 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.100.2, port 200
status: connected
fail-overs: 1
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

Configuring NetFlow SCTP Export for One Fully Reliable and One Partially Reliable Export Destination

This SCTP export configuration uses two SCTP export destinations. One of the export destinations uses full reliability and the other export destination uses partial reliability.

Before You Begin

You must have NetFlow enabled on at least one interface in your router before you can export NetFlow data.

You must have a NetFlow collector in your network that supports NetFlow SCTP export.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip flow-export destination [ip-address | hostname] port sctp
4. ip flow-export destination [ip-address | hostname] port sctp
5. reliability partial buffer-limit limit
6. end
7. show ip flow export sctp verbose

DETAILED STEPS

Step 1 enable
Enters privileged EXEC mode.

Example:

Router> enable

Step 2 configure terminal
Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ip flow-export destination [ip-address | hostname] port sctp
Configures an export destination using SCTP on port 100.

Example:

Router(config)# ip flow-export destination 172.16.12.200 100 sctp

Step 4 ip flow-export destination [ip-address | hostname] port sctp
Configures a second export destination using SCTP on port 100.

Example:

Router(config)# ip flow-export destination 172.16.45.57 100 sctp

Step 5 reliability partial buffer-limit limit
Configures partial reliability for this SCTP export destination (the last one entered, 172.16.45.57) and sets the packet buffer limit to 3000.

Example:

Router(config-flow-export-sctp)# reliability partial buffer-limit 3000

Step 6 end
Returns to privileged EXEC mode.

Example:

Router(config-flow-export-sctp)# end

Step 7 show ip flow export sctp verbose
Displays the status and statistics for NetFlow export with SCTP. Reliability is set to full for SCTP export destination 172.16.12.200 and to partial for SCTP export destination 172.16.45.57.

Example:

Router# show ip flow export sctp verbose

IPv4 main cache exporting to 172.16.12.200, port 100, full
status: connected
backup mode: redundant
229 flows exported in 186 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 3500 milli-seconds
restore time: 10 seconds
backup: 192.168.247.198, port 200
status: connected
fail-overs: 0
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

IPv4 main cache exporting to 172.16.45.57, port 100, partial
status: connected
backup mode: redundant
76 flows exported in 57 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.100.2, port 200
status: connected
fail-overs: 1
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

Configuring NetFlow SCTP Export for the NetFlow Source-Prefix Aggregation Cache

This SCTP export example shows how to configure NetFlow SCTP export for the NetFlow source-prefix aggregation cache. You can configure a maximum of two export destinations for every NetFlow cache.

When you enter NetFlow aggregation cache configuration mode in the router the current router prompt changes to reflect this mode.

For example, if the current router prompt is Router(config)# and you enter the ip flow-aggregation cache prefix command, the router prompt is changed to the NetFlow aggregation cache configuration prompt of Router(config-flow-cache)#.

You need to pay close attention when you are configuring NetFlow SCTP export options for NetFlow aggregation caches because the NetFlow aggregation cache configuration prompt is changed to the NetFlow SCTP export prompt when you enter a NetFlow SCTP export command in NetFlow aggregation cache configuration mode, even though you are still working in NetFlow aggregation cache configuration mode.

For example, if your current prompt is the NetFlow aggregation cache configuration prompt, Router(config-flow-cache)#, and you enter the export destination 172.16.12.200 100 sctp command, the router prompt will change to the NetFlow SCTP export configuration mode prompt, Router(config-flow-export-sctp)#. The NetFlow SCTP export commands that you configure are assigned to the NetFlow aggregation cache that you are modifying with NetFlow SCTP export options.

Use the configuration in the Configuration Examples for NetFlow Reliable Export With SCTP, on page 27, to practice using the different configuration modes.

Prerequisites

You must have NetFlow enabled on at least one interface in your router before you can export NetFlow data.

You must have a NetFlow collector in your network that supports NetFlow SCTP export.

SCTP Export for NetFlow Aggregation Caches

All of the NetFlow SCTP options that are available for the main NetFlow cache are also available in NetFlow aggregation cache mode.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip flow-aggregation cache aggregation-cache-type
4. enable
5. export destination [ip-address | hostname] port sctp
6. end
7. show ip flow export sctp verbose

DETAILED STEPS

Step 1 enable
Enters privileged EXEC mode.

Example:

Router> enable

Step 2 configure terminal
Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ip flow-aggregation cache aggregation-cache-type
Enters NetFlow aggregation cache mode for the cache type.

Example:

Router(config)# ip flow-aggregation cache source-prefix

Step 4 enable
Activates the NetFlow aggregation cache.

Example:

Router(config-flow-cache)# enable

Step 5 export destination [ip-address | hostname] port sctp
Configures an export destination using SCTP for the aggregation cache.

Example:

Router(config-flow-cache)# export destination 172.16.12.200 100 sctp

Step 6 end
Returns to privileged EXEC mode.

Example:

Router(config-flow-export-sctp)# end

Step 7 show ip flow export sctp verbose
Displays the status and statistics for NetFlow export with SCTP.

Example:

Router# show ip flow export sctp verbose

source-prefix cache exporting to 172.16.12.200, port 100, full
status: connected
backup mode: redundant
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds

Verifying NetFlow Reliable Export With SCTP

The show ip flow export sctp [verbose] command provides information on the status and statistics of the options that you have configured for the NetFlow Reliable Export With SCTP feature.

Cisco IOS also provides commands for monitoring and troubleshooting the status and statistics for all of the SCTP features (including NetFlow Reliable Export With SCTP) that you have configured on the networking device. Refer to the Stream Control Transmission Protocol (SCTP), Release 2 configuration guide (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ft_sctp2.htm) for more information on interpreting the output from these commands, and the other commands that are available for monitoring and troubleshooting SCTP.

SUMMARY STEPS

1. show ip sctp association list
2. show ip sctp association parameters association-id
3. show ip sctp errors
4. show ip sctp instances
5. show ip sctp statistics

DETAILED STEPS

Step 1 show ip sctp association list
Shows the list of SCTP associations.

Example:

Router# show ip sctp association list
** SCTP Association List **
AssocID: 0, Instance ID: 0
Current state: ESTABLISHED
Local port: 51882, Addrs: 172.16.6.2
Remote port: 100, Addrs: 172.16.12.200
AssocID: 1, Instance ID: 1
Current state: ESTABLISHED
Local port: 59004, Addrs: 172.16.6.2
Remote port: 200, Addrs: 192.168.247.198

Step 2 show ip sctp association parameters association-id
Displays the current parameters for the association ID.

Example:

Router# show ip sctp association parameters 0
** SCTP Association Parameters **
AssocID: 0 Context: 1 InstanceID: 0
Assoc state: ESTABLISHED Uptime: 00:19:44.504
Local port: 51882
Peers Adaption layer indication is NOT set
Local addresses: 172.16.6.2
Remote port: 100
Primary dest addr: 172.16.12.200
Effective primary dest addr: 172.16.12.200
Destination addresses:
172.16.12.200: State: ACTIVE(CONFIRMED)
Heartbeats: Enabled Timeout: 500 ms
RTO/RTT/SRTT: 5000/0/3 ms TOS: 0 MTU: 1500
cwnd: 3000 ssthresh: 9000 outstand: 0
Num retrans: 0 Max retrans: 2 Num times failed: 0

Local vertag: DAF7029F Remote vertag: A3923131
Num inbound streams: 20 outbound streams: 20
Max assoc retrans: 2 Max init retrans: 2
CumSack timeout: 200 ms Bundle timeout: 100 ms
Min RTO: 5000 ms Max RTO: 5000 ms
Max Init RTO (T1): 1000 ms
LocalRwnd: 9000 Low: 9000 RemoteRwnd: 9000 Low: 8936
Congest levels: 0 current level: 0 high mark: 1

Step 3 show ip sctp errors
Shows any SCTP errors that have occurred.

Example:

Router# show ip sctp errors
** SCTP Error Statistics **
No SCTP errors logged.

Step 4 show ip sctp instances
Shows the details and status for the SCTP instances.

Example:

Router# show ip sctp instances
** SCTP Instances **
Instance ID: 0 Local port: 51882 State: available
Local addrs: 172.16.6.2
Default streams inbound: 20 outbound: 20
Adaption layer indication is not set
Current associations: (max allowed: 6)
AssocID: 0 State: ESTABLISHED Remote port: 100
Dest addrs: 172.16.12.200

Instance ID: 1 Local port: 59004 State: available
Local addrs: 172.16.6.2
Default streams inbound: 20 outbound: 20
Adaption layer indication is not set
Current associations: (max allowed: 6)
AssocID: 1 State: ESTABLISHED Remote port: 200
Dest addrs: 192.168.247.198

Step 5 show ip sctp statistics
Shows the SCTP overall statistics:

Example:

Router# show ip sctp statistics
** SCTP Overall Statistics **
Control Chunks
Sent: 615 Rcvd: 699

Data Chunks Sent
Total: 57 Retransmitted: 0
Ordered: 57 Unordered: 0
Total Bytes: 3648

Data Chunks Rcvd
Total: 0 Discarded: 0
Ordered: 0 Unordered: 0
Total Bytes: 0
Out of Seq TSN: 0

SCTP Dgrams
Sent: 671 Rcvd: 699
ULP Dgrams
Sent: 57 Ready: 0 Rcvd: 0

Additional Stats
Assocs Currently Estab: 2
Active Estab: 2 Passive Estab: 0
Aborts: 0 Shutdowns: 0
T1 Expired: 1 T2 Expired: 0

Configuration Examples for NetFlow Reliable Export With SCTP

The following example includes these NetFlow accounting and NetFlow SCTP export features:

• NetFlow ingress and egress accounting

• Multiple SCTP export destinations for the Main NetFlow cache with backup destinations

• Multiple SCTP export destinations for the NetFlow protocol-port aggregation cache using partial reliability and fail-over mode backup destinations

• Multiple SCTP export destinations for the NetFlow bgp-nexthop-tos aggregation cache with reliability disabled and redundant mode backup destinations

Router# show running-config
...
interface Ethernet0/0.1
 ip address 172.16.6.2 255.255.255.0
 ip flow ingress
!
!
interface Ethernet1/0.1
 ip address 172.16.7.1 255.255.255.0
 ip flow egress
!
ip flow-export destination 172.16.45.57 100 sctp
 reliability partial buffer-limit 3000
 backup destination 192.168.100.2 200
!
ip flow-export destination 172.16.12.200 100 sctp
 reliability partial buffer-limit 3000
 backup destination 192.168.247.198 200
!
ip flow-aggregation cache protocol-port
 export destination 172.16.12.200 100 sctp
  reliability partial buffer-limit 3000
  backup destination 192.168.247.198 200
  backup mode fail-over
 export destination 172.16.45.57 100 sctp
  reliability partial buffer-limit 3000
  backup destination 192.168.100.2 200
  backup mode fail-over
 enabled
!
ip flow-aggregation cache bgp-nexthop-tos
 export version 9
 export destination 172.16.12.200 100 sctp
  backup destination 192.168.247.198 200
 export destination 172.16.45.57 100 sctp
  backup destination 192.168.100.2 200
 enabled
!

The display output of the show ip flow export sctp verbose command shows the status and statistics for this configuration example:

Router# show ip flow export sctp verbose

IPv4 main cache exporting to 172.16.45.57, port 100, partial
status: connected
backup mode: redundant
104 flows exported in 84 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.100.2, port 200
status: connected
fail-overs: 2
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

IPv4 main cache exporting to 172.16.12.200, port 100, partial
status: connected
backup mode: redundant
104 flows exported in 84 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.247.198, port 200
status: connected
fail-overs: 1
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

protocol-port cache exporting to 172.16.12.200, port 100, partial
status: connected
backup mode: fail-over
19 flows exported in 18 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.247.198, port 200
status: connected
fail-overs: 0
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

protocol-port cache exporting to 172.16.45.57, port 100, partial
status: connected
backup mode: fail-over
15 flows exported in 15 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.100.2, port 200
status: connected
fail-overs: 0
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

bgp-nexthop-tos cache exporting to 172.16.12.200, port 100, full
status: connected
backup mode: redundant
20 flows exported in 10 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.247.198, port 200
status: connected
fail-overs: 0
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

bgp-nexthop-tos cache exporting to 172.16.45.57, port 100, full
status: connected
backup mode: redundant
20 flows exported in 10 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.100.2, port 200
status: connected
fail-overs: 0
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources
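The show ip flow export sctp verbose output above is what an operator has to watch to know that flow records are actually reaching a collector. The following Python script is an added example, not code from this guide or from Cisco IOS: it parses that output (line layout assumed from the examples in this guide; the sample text is constructed in that layout) and reports the conditions worth alerting on: a primary association that is not connected, a redundant-mode backup that is not connected, packets dropped for lack of SCTP resources, fail-overs that have occurred, and a destination with no backup at all. It treats the two backup modes differently, because in fail-over mode a backup that shows "not connected" is the normal idle state, while in redundant mode it means the standby path is already down.

```python
"""Health check over `show ip flow export sctp verbose` output. Added example,
not code from the Cisco guide; the line layout is assumed from the examples
in this guide and SAMPLE below is constructed in that layout."""
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(r"^(?P<cache>.+?) cache exporting to (?P<addr>\S+), "
                       r"port (?P<port>\d+), (?P<rel>full|partial|none)$")
BACKUP_RE = re.compile(r"^backup: (?P<addr>\S+), port (?P<port>\d+)$")
STATUS_RE = re.compile(r"^status: (?P<status>.+)$")
MODE_RE = re.compile(r"^backup mode: (?P<mode>\S+)$")
FLOWS_RE = re.compile(r"^(?P<flows>\d+) flows exported in \d+ sctp messages\.$")
DROP_RE = re.compile(r"^(?P<n>\d+) packets dropped due to lack of SCTP resources$")
FAILOVERS_RE = re.compile(r"^fail-overs: (?P<n>\d+)$")

@dataclass
class Endpoint:  # a collector (primary or backup) and the counters reported for it
    addr: str
    port: int
    status: str = "unknown"
    flows: int = 0
    dropped: int = 0
    fail_overs: int = 0  # reported for the backup only

@dataclass
class Export:  # one export-destination block of the show output
    cache: str
    reliability: str
    primary: Endpoint
    backup_mode: str = "redundant"
    backup: Optional[Endpoint] = None

def parse_sctp_export(text: str) -> List[Export]:
    exports: List[Export] = []
    exp: Optional[Export] = None
    ep: Optional[Endpoint] = None  # endpoint the following counters belong to
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := HEADER_RE.match(line):
            ep = Endpoint(m["addr"], int(m["port"]))
            exp = Export(m["cache"], m["rel"], ep)
            exports.append(exp)
        elif exp is None or ep is None:
            continue  # text before the first cache header, e.g. the prompt
        elif m := BACKUP_RE.match(line):
            ep = exp.backup = Endpoint(m["addr"], int(m["port"]))
        elif m := STATUS_RE.match(line):
            ep.status = m["status"]
        elif m := MODE_RE.match(line):
            exp.backup_mode = m["mode"]
        elif m := FLOWS_RE.match(line):
            ep.flows = int(m["flows"])
        elif m := DROP_RE.match(line):
            ep.dropped = int(m["n"])
        elif m := FAILOVERS_RE.match(line):
            ep.fail_overs = int(m["n"])
    return exports

def check_export(exp: Export) -> List[str]:
    """Findings for one export destination; an empty list means healthy."""
    p, b, out = exp.primary, exp.backup, []
    tag = f"{exp.cache} cache -> {p.addr}:{p.port}"
    if p.status != "connected":
        out.append(f"{tag}: primary association is '{p.status}'")
    if p.dropped:
        out.append(f"{tag}: {p.dropped} packets dropped for lack of SCTP resources")
    if b is None:
        out.append(f"{tag}: no backup destination configured")
        return out
    # Redundant mode keeps the backup association open, so 'not connected'
    # means the standby path is already broken. Fail-over mode opens it only
    # when the primary fails, so 'not connected' is the normal idle state.
    if exp.backup_mode == "redundant" and b.status != "connected":
        out.append(f"{tag}: redundant backup {b.addr}:{b.port} is '{b.status}'")
    if b.fail_overs:
        out.append(f"{tag}: {b.fail_overs} fail-over(s) to {b.addr}:{b.port} have occurred")
    return out

def run_check(text: str) -> List[str]:
    return [f for exp in parse_sctp_export(text) for f in check_export(exp)]

# Constructed sample in the layout shown in this guide (timer lines omitted).
SAMPLE = """\
IPv4 main cache exporting to 172.16.12.200, port 100, full
status: connected
backup mode: redundant
219 flows exported in 176 sctp messages.
0 packets dropped due to lack of SCTP resources
backup: 192.168.247.198, port 200
status: not connected
fail-overs: 1
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources

protocol-port cache exporting to 172.16.45.57, port 100, partial
status: connected
backup mode: fail-over
15 flows exported in 15 sctp messages.
3 packets dropped due to lack of SCTP resources
backup: 192.168.100.2, port 200
status: not connected
fail-overs: 0
0 flows exported in 0 sctp messages.
0 packets dropped due to lack of SCTP resources
"""

print("\n".join(run_check(SAMPLE)) or "no findings")  # demo when run directly
```

Feed it the text captured from the router (for example from a scheduled "show" over SSH); the cache name, reliability and counters are kept per destination so a finding can be matched back to the ip flow-export destination or export destination command that produced it.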

Additional References

Related Documents

Related Topic: Overview of Cisco IOS NetFlow
Document Title: Cisco IOS NetFlow Overview

Related Topic: The minimum information about and tasks required for configuring NetFlow and NetFlow Data Export
Document Title: Getting Started with Configuring NetFlow and NetFlow Data Export

Related Topic: Tasks for configuring NetFlow to capture and export network traffic data
Document Title: Configuring NetFlow and NetFlow Data Export

Related Topic: Tasks for configuring MPLS Aware NetFlow
Document Title: Configuring MPLS Aware NetFlow

Related Topic: Tasks for configuring MPLS egress NetFlow accounting
Document Title: Configuring MPLS Egress NetFlow Accounting and Analysis

Related Topic: Tasks for configuring NetFlow input filters
Document Title: Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

Related Topic: Tasks for configuring Random Sampled NetFlow
Document Title: Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

Related Topic: Tasks for configuring NetFlow aggregation caches
Document Title: Configuring NetFlow Aggregation Caches

Related Topic: Tasks for configuring NetFlow BGP next hop support
Document Title: Configuring NetFlow BGP Next Hop Support for Accounting and Analysis

Related Topic: Tasks for configuring NetFlow multicast support
Document Title: Configuring NetFlow Multicast Accounting

Related Topic: Tasks for detecting and analyzing network threats with NetFlow
Document Title: Detecting and Analyzing Network Threats With NetFlow

Related Topic: Tasks for configuring NetFlow Layer 2 and Security Monitoring Exports
Document Title: NetFlow Layer 2 and Security Monitoring Exports

Related Topic: Tasks for configuring the SNMP NetFlow MIB
Document Title: Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Related Topic: Tasks for configuring the NetFlow MIB and Top Talkers feature
Document Title: Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands

Related Topic: Information for installing, starting, and configuring the CNS NetFlow Collection Engine
Document Title: Cisco CNS NetFlow Collection Engine Documentation

Standards

Standards: -- (none)
Title: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

MIBs: No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC 3954: Cisco Systems NetFlow Services Export Version 9
RFC 2960: Stream Control Transmission Protocol
RFC 3758: Stream Control Transmission Protocol (SCTP) Partial Reliability Extension

Technical Assistance

Link: http://www.cisco.com/techsupport
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

Feature Information for NetFlow Reliable Transport Using SCTP

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 2: Feature Information for NetFlow Reliable Transport Using SCTP

Feature Name: NetFlow Reliable Export With SCTP

Releases: 12.4(4)T

Feature Configuration Information: The NetFlow Reliable Export With SCTP feature provides a more robust and flexible method for exporting NetFlow data to collectors than UDP, which was the only transport option prior to the introduction of this feature.

NetFlow Reliable Export With SCTP has the following benefits:

• Backup destinations--You can configure backup destinations for every SCTP export destination. The backup destinations can use redundant mode (always connected) and fail-over mode (connect as required). Fail-over mode is more suitable for backup destinations that are reachable over expensive dial-up links such as ISDN.

• Reliability--NetFlow SCTP provides a very reliable level of transport that has error correction and flow control. You can modify the level of reliability for each SCTP export destination depending on the importance of the data that you are exporting.

The following commands were introduced or modified by this feature: ip flow-export, show ip flow export, and export.

Glossary

CEF --Cisco Express Forwarding. A Layer 3 IP switching technology that optimizes network performance and scalability for networks with large and dynamic traffic patterns.


BGP --Border Gateway Protocol. Interdomain routing protocol that replaces Exterior Border Gateway Protocol (EBGP). A BGP system exchanges reachability information with other BGP systems. BGP is defined by RFC 1163.

BGP next hop --IP address of the next hop to be used to reach a certain destination.

data record --Provides information about an IP flow that exists on the device that produced an export packet. Each group of data records (meaning each data flowset) refers to a previously transmitted template ID, which can be used to parse the data within the records.

dCEF --distributed Cisco Express Forwarding. A type of CEF switching in which line cards (such as Versatile Interface Processor (VIP) line cards) maintain identical copies of the forwarding information base (FIB) and adjacency tables. The line cards perform the express forwarding between port adapters; this relieves the Route Switch Processor of involvement in the switching operation.

export packet --A type of packet built by a device (for example, a router) with NetFlow services enabled. The packet is addressed to another device (for example, the NetFlow Collection Engine). The packet contains NetFlow statistics. The other device processes the packet (parses, aggregates, and stores information on IP flows).

fast switching --A Cisco feature in which a route cache is used to expedite packet switching through a router.

flow --A unidirectional stream of packets between a given source and destination, each of which is defined by a network-layer IP address and transport-layer source and destination port numbers.

flowset --A collection of flow records that follow the packet header in an export packet. A flowset contains information that must be parsed and interpreted by the NetFlow Collection Engine. There are two different types of flowsets: template flowsets and data flowsets. An export packet contains one or more flowsets, and both template and data flowsets can be mixed in the same export packet.

NetFlow --A Cisco IOS application that provides statistics on packets flowing through the router. It is emerging as a primary network accounting and security technology.

NetFlow Aggregation --A NetFlow feature that lets you summarize NetFlow export data on an IOS router before the data is exported to a NetFlow data collection system such as the NetFlow Collection Engine. This feature lowers bandwidth requirements for NetFlow export data and reduces platform requirements for NetFlow data collection devices.

NetFlow Collection Engine (formerly NetFlow FlowCollector) --A Cisco application that is used with NetFlow on Cisco routers and Catalyst 5000 series switches. The NetFlow Collection Engine collects packets from the router that is running NetFlow and decodes, aggregates, and stores them. You can generate reports on various aggregations that can be set up on the NetFlow Collection Engine.

NetFlow v9 --NetFlow export format Version 9. A flexible and extensible means of carrying NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.

options data record --A special type of data record used in the NetFlow process. It is based on an options template and has a reserved template ID that provides information about the NetFlow process itself.

options template --A type of template record used to communicate the format of data related to the NetFlow process.

packet header --First part of an export packet. It provides basic information about the packet (such as the NetFlow version, number of records contained in the packet, and sequence numbering) so that lost packets can be detected.

SCTP --Stream Control Transmission Protocol. The Stream Control Transmission Protocol (SCTP) is a transport layer protocol defined in 2000 by the IETF Signaling Transport (SIGTRAN) working group. The protocol is defined in RFC 2960, and an introductory text is provided by RFC 3286.


template flowset --A collection of template records that are grouped in an export packet.

template ID --A unique number that distinguishes a template record produced by an export device from other template records produced by the same export device. A NetFlow Collection Engine application can receive export packets from several devices. You should be aware that uniqueness is not guaranteed across export devices. The NetFlow Collection Engine should cache the address of the export device that produced the template ID in order to enforce uniqueness.

template record --Defines the format of subsequent data records that might be received in current or future export packets. A template record within an export packet does not necessarily indicate the format of data records within that same packet. A NetFlow Collection Engine application must cache any template records received and then parse any data records it encounters by locating the appropriate template record in the cache.
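The glossary entries for export packet, packet header, flowset, template ID and template record describe the collector-side rules of the Version 9 format: cache templates per export device, decode data records only from a cached template, and use the header sequence number to detect lost packets. The following added example (not code from this guide or from any Cisco product) implements those rules for the fixed-length fields defined in RFC 3954; the two export packets it builds are constructed sample data, and field types 8, 12 and 2 are the standard IPV4_SRC_ADDR, IPV4_DST_ADDR and IN_PKTS type numbers.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId
FLOWSET = struct.Struct("!HH")     # flowset ID, length (includes this 4-byte header)

class NetFlowV9Collector:
    """Collector-side parser; templates are cached per (exporter, source ID) because template IDs are unique only per exporter."""
    def __init__(self):
        self.templates = {}  # (exporter, source_id) -> {template_id: [(field_type, length), ...]}
        self.last_seq = {}   # (exporter, source_id) -> sequence number of the last packet seen
    def feed(self, exporter, pkt):
        version, _count, _up, _secs, seq, src = HEADER.unpack_from(pkt, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 export packet")
        key = (exporter, src)
        # Sequence numbers count export packets per source ID, so a jump means lost packets.
        lost = (seq - self.last_seq[key] - 1) & 0xFFFFFFFF if key in self.last_seq else 0
        self.last_seq[key] = seq
        cache, records, unknown, off = self.templates.setdefault(key, {}), [], [], HEADER.size
        while off + FLOWSET.size <= len(pkt):
            fsid, length = FLOWSET.unpack_from(pkt, off)
            if length < FLOWSET.size: break  # malformed length; stop instead of looping forever
            body, off = pkt[off + FLOWSET.size:off + length], off + length
            if fsid == 0:  # template flowset: learn or refresh templates
                pos = 0
                while pos + 4 <= len(body):
                    tid, nfields = struct.unpack_from("!HH", body, pos)
                    cache[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                    pos += 4 + 4 * nfields
            elif fsid >= 256:  # data flowset: decode only with a cached template
                tmpl = cache.get(fsid)
                rec_len = sum(flen for _, flen in tmpl) if tmpl else 0
                if rec_len == 0:
                    unknown.append(fsid)  # template not yet received; records cannot be parsed
                    continue
                for pos in range(0, len(body) - rec_len + 1, rec_len):  # tail < rec_len is padding
                    rec, p = {}, pos
                    for ftype, flen in tmpl:
                        rec[ftype] = int.from_bytes(body[p:p + flen], "big")
                        p += flen
                    records.append(rec)
        return {"sequence": seq, "lost_packets": lost, "records": records, "unknown_templates": unknown}

def build_sample_packets():
    """Constructed sample export: packet 1 carries template 256, packet 3 carries two data records."""
    tmpl = struct.pack("!HH", 256, 3) + struct.pack("!HHHHHH", 8, 4, 12, 4, 2, 4)  # src, dst, pkts
    pkt1 = HEADER.pack(9, 1, 1000, 1700000000, 1, 7) + FLOWSET.pack(0, 4 + len(tmpl)) + tmpl
    data = struct.pack("!IIIIII", 0x0A000001, 0x0A000002, 42, 0x0A000003, 0x0A000004, 7) + b"\0\0"
    pkt3 = HEADER.pack(9, 2, 2000, 1700000001, 3, 7) + FLOWSET.pack(256, 4 + len(data)) + data
    return pkt1, pkt3
```

Feeding packet 3 before packet 1, or from a different exporter address, yields no records and reports template 256 as unknown, which is the behaviour the template record entry requires of a collector.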
